
Google’s September 2025 Android security bulletin patches 120 vulnerabilities across the platform and partner components [1]. Two of them, CVE-2025-38352 and CVE-2025-48543, are zero-days that Google confirms were under limited, targeted exploitation before fixes were available [2][3]. The release lands in a threat landscape in which exploitation is increasingly automated; the reported use of the AI-driven tooling Hexstrike-AI to weaponize fresh vulnerabilities within minutes is one example [4]. Organizations should treat deployment of this update as urgent.
Technical Analysis of Exploited Vulnerabilities
The two exploited vulnerabilities differ in both attack vector and target component. CVE-2025-38352 is an elevation of privilege (EoP) flaw in the Linux kernel’s POSIX CPU timers subsystem [1]. It is a race between `handle_posix_cpu_timers()`, which processes expired CPU-time timers, and `posix_cpu_timer_del()`, which removes a timer. If the two overlap while the owning task is exiting, the task’s timer cleanup can be corrupted; the result ranges from kernel instability and crashes (denial of service) to local privilege escalation. Because it is a local EoP, it is a post-access stage: the attacker needs code already running on the device, typically a malicious app or a prior browser or messaging exploit, and uses the kernel bug to escalate to kernel privileges. Google’s Threat Analysis Group (TAG) discovered and reported the flaw, which points to use in targeted spyware campaigns [5]. It carries a CVSS score of 7.4 (High) [6].
The second flaw, CVE-2025-48543, is an elevation of privilege vulnerability in the Android Runtime (ART) [1]. A malicious application could use it to escape the app sandbox and gain elevated system capabilities with no user interaction. That makes it a natural link in an exploit chain: a typical chain pairs an ART sandbox escape with a kernel EoP to reach full device compromise. Security analysts report that exploitation attempts against this ART vulnerability have been observed in the wild [3]. It affects Android 13, 14, 15 and 16.
Critical and High-Severity Patches
Beyond the zero-days, the bulletin fixes several other severe issues. The most critical is CVE-2025-48539, a remote code execution (RCE) flaw in the System component [1]. The bulletin rates it as remote (proximal/adjacent) code execution: an attacker within Bluetooth or Wi-Fi range could execute arbitrary code on a target device with no user interaction and no additional privileges. Bugs of this class are a primary concern for espionage campaigns because they enable silent, zero-click compromise and, in principle, self-propagating exploits.
The update also includes patches for three critical-severity vulnerabilities in closed-source Qualcomm components. These issues, which include CVE-2025-21483 and CVE-2025-27034, affect proprietary elements such as the modem and digital signal processor (DSP). CVE-2025-21483 is a memory corruption flaw in the data network stack during video reassembly from RTP packets, where specially crafted network traffic can trigger out-of-bounds writes and enable RCE. CVE-2025-27034 is an array index validation bug in the multi-mode call processor, where malicious network responses can corrupt memory and enable code execution in the modem baseband [7]. Both are triggered by traffic arriving from the network side rather than by anything the user does, and both ship only with the 2025-09-05 patch level.
Vulnerability Breakdown and Patch Levels
The full scope of the September update is extensive. While the initial Android bulletin listed 84 vulnerabilities, the total, once Google’s silicon partners (Qualcomm, MediaTek, Arm) are included, reaches 120 [1], of which 27 are specific to Qualcomm components. The types of flaws patched are diverse: over 60 elevation of privilege (EoP) issues, more than 20 information disclosure (ID) flaws, approximately 10 denial of service (DoS) vulnerabilities, and 4 remote code execution (RCE) bugs.
Google publishes two security patch levels for this release. The **2025-09-01** level covers the Android framework and core components (Android Runtime, Framework, System). The **2025-09-05** level is cumulative: it includes everything in 2025-09-01 plus the kernel fixes and the hardware-specific fixes from Qualcomm, MediaTek and Arm [1]. Only a device reporting 2025-09-05 (or later) is protected against every vulnerability in the bulletin; in particular, the kernel zero-day CVE-2025-38352 and the Qualcomm modem flaws are not covered by 2025-09-01 alone. Devices running Android 12 or earlier no longer receive Google’s monthly fixes, so unless the manufacturer backports them they remain vulnerable indefinitely.
Broader Threat Context and Mitigation
The discovery and active exploitation of these zero-days coincide with reports of advanced attack automation. A tool dubbed “Hexstrike-AI” has reportedly been used by threat actors to exploit zero-day vulnerabilities in as little as 10 minutes [4]. That kind of capability shortens the window between disclosure and widespread weaponization and raises the pressure to patch immediately. Google Play Protect can flag known-malicious apps, but it does nothing against a kernel or baseband bug once an attacker has a foothold; it complements the system patch and does not replace it.
For system administrators and security teams, the immediate priority is to verify and enforce patch deployment across all managed Android devices. On the device, the installed level is shown under Settings > About phone > Android version as the Android security update; for a fleet, the same value is exposed as the ro.build.version.security_patch system property, which MDM inventories and adb can read. The update itself is installed from **Settings > System > Software updates > System update** (or a similar path such as **Settings > Security and privacy > System and updates > Security update**) by checking for updates manually. Device manufacturers publish their own builds: Samsung’s September 2025 Security Maintenance Release (SMR) bundles these core Android patches with additional vendor-specific fixes [8].
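The following script turns the patch-level rule (2025-09-05 is the only fully protective level, 2025-09-01 covers the framework only, Android 12 and earlier is end-of-life) and the fleet-verification step into something a team can run. It is an added example, not code from Google or the bulletin. It assumes adb is on PATH for live use (the `--live` flag) and that the stock properties ro.build.version.release and ro.build.version.security_patch are readable, which they are on standard Android; the four device records in the demo are constructed, not real devices.

```shell
#!/usr/bin/env bash
# Hypothetical fleet check for the September 2025 Android bulletin (example code,
# not from Google or the bulletin). Live use needs adb on PATH; the demo at the
# bottom runs on constructed sample records so the script also works offline.

TARGET_FULL=20250905     # 2025-09-05: cumulative level, incl. kernel + Qualcomm/MediaTek/Arm fixes
TARGET_PARTIAL=20250901  # 2025-09-01: framework/ART/System fixes only

# "2025-09-05" -> 20250905 so patch levels compare numerically (ISO dates sort that way).
patch_to_int() {
    printf '%s' "$1" | tr -d '-'
}

# classify_device <ro.build.version.release> <ro.build.version.security_patch>
# Prints one of: eol | unpatched | partial | patched
classify_device() {
    local release="$1" patch="$2" major p
    major="${release%%.*}"
    # Android 12 and earlier no longer receive bulletin fixes: end-of-life.
    if [ "$major" -le 12 ] 2>/dev/null; then
        echo eol; return 0
    fi
    p=$(patch_to_int "$patch")
    # An empty or unreadable patch property fails both tests and is treated as unpatched.
    if [ "$p" -ge "$TARGET_FULL" ] 2>/dev/null; then
        echo patched
    elif [ "$p" -ge "$TARGET_PARTIAL" ] 2>/dev/null; then
        echo partial      # framework zero-day fixed; kernel and Qualcomm fixes still missing
    else
        echo unpatched
    fi
}

# check_fleet reads "serial release patch" lines on stdin, prints one status line per
# device, and returns non-zero if any device is below the 2025-09-05 level.
check_fleet() {
    local rc=0 serial release patch status
    while read -r serial release patch; do
        [ -z "$serial" ] && continue
        status=$(classify_device "$release" "$patch")
        printf '%-16s Android %-5s %-11s %s\n' "$serial" "$release" "$patch" "$status"
        [ "$status" = patched ] || rc=1
    done
    return $rc
}

# collect_live emits one "serial release patch" line per connected device (requires adb).
collect_live() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r s; do
        rel=$(adb -s "$s" shell getprop ro.build.version.release | tr -d '\r')
        pl=$(adb -s "$s" shell getprop ro.build.version.security_patch | tr -d '\r')
        printf '%s %s %s\n' "$s" "$rel" "$pl"
    done
}

if [ "${1:-}" = "--live" ]; then
    data=$(collect_live)
else
    # Constructed sample records (not real devices): serial, Android release, patch level.
    data='R58N123ABCD 16 2025-09-05
ZY22FAKE001 15 2025-09-01
emulator-5554 14 2025-08-05
HT7A1FAKE02 12 2025-01-05'
fi

if printf '%s\n' "$data" | check_fleet; then
    echo "OK: every device is at 2025-09-05 or later"
else
    echo "ACTION REQUIRED: devices below 2025-09-05 are listed above"
fi
```

Run it with `--live` against USB- or network-attached devices, or feed `check_fleet` the same three columns exported from an MDM inventory. A `partial` result is the case to watch for: the device has the ART zero-day fix but not the kernel or modem fixes, so it is still exposed to CVE-2025-38352 and the Qualcomm baseband bugs.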
The patching of two actively exploited zero-days in Android’s core components shows how mature the mobile exploitation market has become. The technical shape of the flaws, a kernel race condition and an ART sandbox escape, is exactly the pair an exploit chain needs, and the concurrent emergence of AI-assisted exploitation tooling points towards faster, more automated attacks. For security professionals this reinforces the need for timely patch management, but the work does not end there: defensive strategies should include fleet-wide visibility into installed patch levels, hunting for indicators of compromise associated with these CVEs, and clear guidance to users about the risk of running end-of-life devices. This bulletin is a critical update that calls for immediate action to limit tangible risk to organizational data and infrastructure.